What retailers can learn from Sony data breach

The computer hack of Sony internal data and emails has suddenly become, well, terrifying. The group, Guardians of Peace, which took credit for hacking the entertainment giant's internal data—and released a lot of it—in late November now says it is planning an attack on movie theaters that are showing the new movie "The Interview."

The comedy, which stars Seth Rogen and James Franco, is about an assassination attempt on North Korean leader Kim Jong-un. In addition to the movie theater warning, the Guardians of Peace released a "Christmas gift" of Sony Pictures CEO Michael Lynton's emails, and claims to have 12,000 CDs full of the company's internal data.

Even more alarming are allegations that Sony could have prevented the massive internal data breach. Two Sony employees, Christina Mathis and Michael Corona, sued the company in federal court this week, alleging that the company did not take enough precautions to keep employee and employees' family data safe.

Sony was aware of the insecurity in its network, the employees allege. There were only 11 people on the Sony information security team at the time of the attack. Plus, in a Sony audit from July 14 to August 1, 2014, PricewaterhouseCoopers found one firewall and more than 100 other devices that were not being monitored by the corporate security team charged with oversight of infrastructure; instead they were overseen by the studio's in-house group, which was tracking activity on logs.

The auditors said the issue could slow Sony's response to a problem. The confidential report, dated Sept. 25, was among the emails that hackers released to the public.

"The real problem lies in the fact that there was no real investment in or real understanding of what information security is," a former employee told Fusion. For example, sensitive files on Sony Pictures' network were not encrypted internally or password-protected. The Guardians of Peace found a file with Sony usernames and passwords, boldly titled "Usernames&Passwords".

The terrorist threats notwithstanding, the message is clear for retailers and all companies: pay whatever it takes to protect your internal and external data. Have the technology, systems, and practices in place to prevent these awful data breaches. Not only does the security of your company, employees and customers depend upon it, but your reputation does as well.

For more:
-See this TechCrunch article
-See this Fusion article
-See this TechCrunch article
-See this re/code article
